[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL optimization

Subject: Re: ACL optimization
From: "José M. Fandiño" <ldap@fadesa.es>
Date: Fri, 05 Aug 2005 13:07:59 +0200
Cc: openldap-software@OpenLDAP.org
Organization: Inmobiliaria FADESA
References: <42F08EC4.A79C75F9@fadesa.es> <37558.131.175.154.56.1123080061.squirrel@131.175.154.56> <D410C909733ED33B46C2606F@cadabra-dsl.stanford.edu> <42F2537C.C68E3D@fadesa.es> <90E07D9D61E2A3E4B54ADBD5@cadabra-dsl.stanford.edu>

Quanah Gibson-Mount wrote:
> > As a curiosity, servers matched by the first rules are about 5 or 6 times
> > faster to response than servers matched by last rules. I thought that
> > the ACL evaluation time will be uniform because the whole set of rules
> > would be evaluated. this makes sense to someone?

...

> The one other thing I noticed about your configuration is that you had a
> 9.5MB BDB cache. This may or may not really be sufficient.  You have a
> small number of entries, but you also have a large number of attributes per
> entry, and if you have extensive indexing, that would also be a factor.

Quanah, I don't know if it makes some difference but 125 is the theorical
number of attributes (it is the raw number of attributes for the set of
objectclasses I use), the real number of attributes used by entries is 
50 approx.

> I'd be curious if you'd get a performance increase with a larger BDB cache
> size (say 100MB, where you would have set_cachesize 0 104857600 0) and see
> if that improved your results.

with 100MB the response times are almost identical, of course this time 
I have reconstructed the bdb database (slapcat, rm, slapadd)

please remember I do a heavy use of break controls in the who part of the 
rules (100 x 2 = 200 rules).

these are the times (tests were done in idle machines):

# time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x  > /dev/null
real    0m1.482s
user    0m0.110s
sys     0m0.000s

# time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w .. -x  > /dev/null
real    0m1.405s
user    0m0.070s
sys     0m0.000s

the second time is lower because of caching. In this test the matched identity
for the server was located last in the ACL and in the next the server identity
was first in the list:

# time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x  > /dev/null
real    0m0.191s
user    0m0.080s
sys     0m0.000s


# time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x  > /dev/null
real    0m0.132s
user    0m0.090s
sys     0m0.010s

as you can see there is a big difference. 

I can understand that this setup is cpu intensive, but I still can't
understand why the order is so important.

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------

Follow-Ups:
- Re: ACL optimization
  - From: "José M. Fandiño" <ldap@fadesa.es>

References:
- ACL optimization
  - From: "José M. Fandiño" <ldap@fadesa.es>
- Re: ACL optimization
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: ACL optimization
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: ACL optimization
  - From: "José M. Fandiño" <ldap@fadesa.es>
- Re: ACL optimization
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: ACL optimization
Next by Date: Re: authzTo [auf Viren überprüft]
Index(es):
- Chronological
- Thread